[openstack-dev] [keystone] LDAP identity driver with groups from local DB

Julian Edwards bigjools at gmail.com
Fri Jul 24 06:58:51 UTC 2015

On 24 July 2015 at 14:50, Steve Martinelli <stevemar at ca.ibm.com> wrote:
> The LDAP driver for identity shouldn't require write access to look up
> groups. It'll only require write access if you want to allow Keystone to
> create/delete/update new groups.
> Not sure what you mean by "requires an LDAP admin to set up groups
> separately" either. Have any more details you can share?

Hi Steve

Assuming LDAP access is read-only, group info would need to be set up
in the LDAP server itself prior to keystone accessing it.  This is not
something that many large corporations would be willing to
accommodate, which means you'd need to get group data from elsewhere.
Hence, my suggestion!
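As an added illustration of the read-only LDAP setup Steve describes (this is example configuration, not something posted in the thread or shipped by the Keystone project): the `[ldap]` options below keep Keystone from ever attempting a write against the directory for users or groups, so the bind account only needs read access. The `url`, `user`, `password`, `suffix` and tree DN values are placeholders, and the exact option names should be checked against the Keystone release actually deployed.

```ini
# keystone.conf (example fragment, constructed for this thread; values are placeholders)

[identity]
# Back users and groups with the LDAP identity driver.
driver = ldap

[ldap]
# Placeholder connection details for the directory.
url = ldaps://ldap.example.com
# Bind as a dedicated read-only service account, not a directory admin.
user = cn=keystone-ro,ou=service,dc=example,dc=com
password = <service-account-password-placeholder>
suffix = dc=example,dc=com

# Where Keystone looks up users and groups (read only).
user_tree_dn = ou=users,dc=example,dc=com
user_objectclass = inetOrgPerson
group_tree_dn = ou=groups,dc=example,dc=com
group_objectclass = groupOfNames
group_member_attribute = member
group_name_attribute = cn

# Disable every write path, so a read-only bind account is sufficient
# and Keystone never needs to create, update or delete LDAP entries.
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_allow_create = false
group_allow_update = false
group_allow_delete = false
```

With the `*_allow_*` options set to false, any attempt to create or modify a user or group through the Keystone API is rejected by Keystone itself rather than failing at the directory, which is the behaviour to expect when group membership is owned by the LDAP administrators and cannot be managed from Keystone.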
